Cisco WS-C3560V2-24TS-E Command Reference - Page 107
Chapter 2 Catalyst 3560 Switch Cisco IOS Commands
deny (IPv6 access-list configuration)

Note: Although visible in the command-line help strings, the flow-label, routing, and undetermined-transport keywords are not supported.

Defaults

No IPv6 access list is defined.

Command Modes

IPv6 access list configuration

Command History

Release        Modification
12.2(25)SED    This command was introduced.

Usage Guidelines

The deny (IPv6 access-list configuration mode) command is similar to the deny (IPv4 access-list configuration mode) command, except that it is IPv6-specific.

Use the deny (IPv6) command after the ipv6 access-list command to enter IPv6 access list configuration mode and to define the conditions under which a packet passes the access list.

Specifying IPv6 for the protocol argument matches against the IPv6 header of the packet.

By default, the first statement in an access list is number 10, and the subsequent statements are numbered in increments of 10.

You can add permit, deny, or remark statements to an existing access list without re-entering the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to show where it belongs.

Note: Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. The two permit conditions allow ICMPv6 neighbor discovery. To disallow ICMPv6 neighbor discovery and to deny icmp any any nd-na or icmp any any nd-ns, there must be an explicit deny entry in the ACL. For the implicit deny ipv6 any any statement to take effect, an IPv6 ACL must contain at least one entry.

The IPv6 neighbor discovery process uses the IPv6 network layer service. Therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface.
In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data-link layer protocol. Therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

Both the source-ipv6-prefix/prefix-length and destination-ipv6-prefix/prefix-length arguments are used for traffic filtering. (The source prefix filters traffic based upon the traffic source; the destination prefix filters traffic based upon the traffic destination.)

The switch supports only prefixes from /0 to /64 and EUI-based /128 prefixes for aggregatable global unicast and link-local host addresses.

The fragments keyword is an option only if the protocol is ipv6 and the operator [port-number] arguments are not specified.

78-16405-05 Catalyst 3560 Switch Command Reference 2-75
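The usage guidelines above can be turned into a pre-deployment review check: list the entries in match order with the implicit tail appended, and flag unsupported keywords, unsupported prefix lengths, and an explicit catch-all deny that matches before the implicit neighbor discovery permits. This Python audit is an added example, not Cisco code. It assumes first-match evaluation, the `sequence` keyword from the command syntax (not shown on this page), and that unnumbered statements are numbered 10 above the highest existing entry. It does not verify that a /128 address is EUI-based, and the sample ACL is constructed.

```python
import ipaddress

# Keywords the page says show up in CLI help but are not supported.
UNSUPPORTED = {"flow-label", "routing", "undetermined-transport"}
# Implicit last match conditions of every IPv6 ACL, as listed on the page.
IMPLICIT_TAIL = ["permit icmp any any nd-na", "permit icmp any any nd-ns",
                 "deny ipv6 any any"]

def audit_ipv6_acl(statements):
    """Return (effective, warnings); effective is [(seq, text)] in match order."""
    numbered, warnings = [], []
    for text in statements:
        tokens = text.split()
        if "sequence" in tokens:  # explicit entry number
            at = tokens.index("sequence")
            seq = int(tokens[at + 1])
            del tokens[at:at + 2]
        else:  # assumption: appended 10 above the highest existing number
            seq = max((s for s, _ in numbered), default=0) + 10
        for tok in tokens:
            if tok in UNSUPPORTED:
                warnings.append(f"{seq}: keyword {tok} is not supported")
            elif "/" in tok:
                plen = ipaddress.IPv6Network(tok, strict=False).prefixlen
                if 64 < plen < 128:  # only /0 to /64 and /128 are supported
                    warnings.append(f"{seq}: /{plen} prefix is not supported")
        numbered.append((seq, " ".join(tokens)))
    numbered.sort(key=lambda entry: entry[0])
    if not numbered:  # the implicit deny needs at least one entry
        return [], warnings
    # An explicit catch-all deny matches before the implicit ND permits.
    seen = set()
    for seq, text in numbered:
        if text.startswith("deny ipv6 any any"):
            for nd in IMPLICIT_TAIL[:2]:
                if nd not in seen:
                    warnings.append(f"{seq}: catch-all deny precedes implicit '{nd}'")
        seen.add(text)
    # Implicit entries carry sequence None.
    return numbered + [(None, t) for t in IMPLICIT_TAIL], warnings

# Constructed sample ACL (2001:db8::/32 is the documentation prefix).
SAMPLE = [
    "deny tcp any 2001:db8:1::/64 eq 23",
    "permit ipv6 2001:db8:2::/80 any",
    "deny ipv6 any any log",
    "permit icmp any any nd-na sequence 25",
]

if __name__ == "__main__":
    print(*audit_ipv6_acl(SAMPLE), sep="\n")
```

In the sample, entry 25 lands between entries 20 and 30, so neighbor advertisements are still permitted, while neighbor solicitations reach the explicit deny at 30 before the implicit permit.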